PT-2022-18997 · Unknown · Zephyr Project Manager

R1Z4X

Published: 2022-10-03 · Updated: 2022-10-04 · CVE-2022-2839

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Zephyr Project Manager, versions prior to 3.2.55
Description: The plugin's AJAX actions lack both authorization checks and CSRF protection, so unauthenticated users can call every action directly, or trigger it through a CSRF attack against a logged-in user. Because the handlers also fail to sanitize input and escape output, the same actions can be used to inject Stored Cross-Site Scripting payloads that execute in the browsers of logged-in administrators.
Recommendations: For versions prior to 3.2.55, update to version 3.2.55 or later, which resolves the issue. As a temporary workaround, restrict access to the plugin's AJAX actions to reduce the risk of exploitation.
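The pattern behind this class of WordPress bug, shown as an added illustration that is not code from Zephyr Project Manager or from its fix: an AJAX handler exposed to unauthenticated users with no nonce, no capability check and unescaped output, followed by a hardened version. All hook, function, option and script-handle names here (`demo_*`, `demo-admin`) are hypothetical.

```php
<?php
// Added illustration only; not the plugin's code. Names are hypothetical.

// VULNERABLE pattern: reachable by unauthenticated users (wp_ajax_nopriv_),
// no nonce check (CSRF), no capability check (missing authorization),
// raw input stored and echoed back unescaped (stored XSS).
add_action( 'wp_ajax_demo_save_task',        'demo_save_task_vulnerable' );
add_action( 'wp_ajax_nopriv_demo_save_task', 'demo_save_task_vulnerable' );
function demo_save_task_vulnerable() {
    $title = $_POST['title'];                                 // unsanitized
    update_option( 'demo_task_title', $title );
    echo '<li>' . get_option( 'demo_task_title' ) . '</li>'; // unescaped
    wp_die();
}

// HARDENED pattern.
// 1. Register only for logged-in users: no wp_ajax_nopriv_ hook at all.
add_action( 'wp_ajax_demo_save_task_safe', 'demo_save_task_hardened' );
function demo_save_task_hardened() {
    // 2. CSRF: verify the nonce the admin page embedded for this action;
    //    check_ajax_referer() stops the request if it is missing or invalid.
    check_ajax_referer( 'demo_save_task_nonce', 'security' );
    // 3. Authorization: require the capability this action actually needs.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    // 4. Sanitize on input ...
    $title = isset( $_POST['title'] )
        ? sanitize_text_field( wp_unslash( $_POST['title'] ) )
        : '';
    if ( '' === $title ) {
        wp_send_json_error( array( 'message' => 'title required' ), 400 );
    }
    update_option( 'demo_task_title', $title );
    // 5. ... and escape on output, even for data sanitized earlier.
    wp_send_json_success( array(
        'html' => '<li>' . esc_html( get_option( 'demo_task_title' ) ) . '</li>',
    ) );
}

// Hand the nonce to the admin page's script (handle 'demo-admin' assumed to
// be enqueued elsewhere) so legitimate requests can carry it as 'security'.
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'demo-admin', 'demoAjax', array(
        'url'      => admin_url( 'admin-ajax.php' ),
        'security' => wp_create_nonce( 'demo_save_task_nonce' ),
    ) );
} );
```

When reviewing a plugin for this issue, look for `wp_ajax_nopriv_` registrations on state-changing actions and for handlers that reach `update_option`/`$wpdb` without a preceding `check_ajax_referer()` and `current_user_can()`.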

Tags: Exploit · Fix · XSS · CSRF

Weakness Enumeration

Related Identifiers: CVE-2022-2839

Affected Products: Zephyr Project Manager